Collecting additional member data

At the last members meeting we talked about collecting extra data about members in the membership system when they join, and retrospectively asking members to update this information.

The purpose would be to allow us to better understand where we stand on diversity. Previous conversations have relied at best on assumptions made by looking at data, and at worst on anecdotal evidence, which can easily be skewed through personal biases.

Generally members seemed okay with this, but I would like to understand how members would feel about asking for the information detailed below on an entirely opt-in basis, with some promotion encouraging members to provide this information retrospectively.

For clarity, the data would be stored in the membership system database; however, it would be designed such that only the member whose data it is could view and change it. Even directors would be unable to pull up this diversity information on a member-by-member basis, so in other words, a director wouldn’t be able to log in, find a user and check their gender, age, sexual orientation or otherwise.

Directors would however be able to pull anonymised reports showing actual numbers of members and percentages, and a completely anonymised set of data without any additional information that would make it easier to identify them such as being an @role.

As with all systems, however, it would be technically possible for those with server access to view the data directly by manipulating the database, and these people would have to understand their Data Protection obligations, which prohibit this kind of use of the data.

The proposed information would be:

  • Age (Month and year only)
  • Gender
  • Ethnicity
  • National identity

Other things we could ask but I am not sure for various reasons.

  • Children / Dependants
  • Sexual orientation
  • Income
  • Employment status
  • Religion

There is a wide collection of standardised monitoring forms available from a range of places; maybe we could focus on one of those?

You need to tread a little carefully here. The rules on Data Protection are about to change and although we’re only a small organisation, we are subject to DPA and the new (2018) GDPR.

The key messages of GDPR are a need to be able to justify keeping the info you have, express permission to use the data you have and have processes for people to look at and remove their data (the right to be forgotten)

Also, Data is now in two sub sections, Personal data that’s needed for general use of the business / organisation and Sensitive personal data that requires more permissions and more careful handling and is subject to stricter controls.

Personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation are all classified as Personal/Sensitive.

Even Pseudonymised personal data (Personal data that can no longer be attributed to a specific data subject without the use of additional information) is not exempt from the Regulation.

If you are really bored (or sad like me), here’s some bed time reading explaining the changes - your secondary list defo falls under these regulations.

TMT_DATA_Protection_Survival_Guide_Singles.pdf (2.3 MB)

Courty

I am aware those are coming but the data is justifiable; it’s just about how it affects how we store it and control it, no?

As long as you have a clear policy on why you’re collecting it, how you’re using it and users’ rights over it then yes, focus is on store and control. Need both ideally.

Courty

My thoughts were to only collect the data we need anyways to get for example age i.e. Month + Year or just Month.

All the data is optional, the rationale being to enable us to work on our diversity.

It has previously been identified that the directors need to appoint a data controller under existing regulations, and that this EU directive was coming into force before Brexit and that we’d need to comply.

Frankly it’s incomprehensibly complicated.

GDPR is not Brexit dependent; it’s adopted by UK statute. We do need a data controller either way and this would normally be associated with the systems management function (we’re not big enough or complex enough to req a separate role although this is perfectly acceptable).

Rule of thumb is: can you justify the data you’re collecting and what you are doing with it once collected? If not, or you no longer need it, can you delete it, and is someone checking that this is being done according to policy…

A couple of policy documents and a link to those docos on any e-forms would cover it.

Courty

Yeah what I meant was that if we’d already Brexited before this came into effect it wouldn’t have transferred into UK law.

Maybe you could give the directors some advice on this, but it seems justifiable to collect diversity information for a member organisation to allow us to improve it if there is an issue.

1 Like

Why not just create an anonymous questionnaire and use that data to better understand the members?

That’s the other half of the equation but this is for ongoing monitoring.

I don’t think I should have to provide that level of information for the sake of “diversity”. Especially when there is no guarantee that the data is anonymized and could easily be tied to me.

Also would be concerning considering upcoming changes to data protection laws.

We haven’t yet decided that we will collect this data: it’s part of a discussion about whether we need to and if it would be useful to us as an organisation in the future.

For example we don’t currently know if members are male or female from the (very little) data we currently collect, yet that feels like useful information to have if we’re pushing towards equality and inclusion. However: in a small group such as ours we may just be able to see the mix of people turning up to the space and get the information we need from that.

2 Likes

No one is saying you would have to provide this; it would be opt-in.

The data would only be accessible in a way that allows us to generate anonymous reports.

The other objective would be to implement the best practice method of storing such data such that it isn’t just stored alongside your membership data in plain text where a database dump could easily identify you. Examples of this could be by way of a shared key that stores data on another server that is not connected to the internet directly. We’ll obviously be looking to find a best practice method of storing this data.

As for data protection laws, this won’t change things all that much for us as we’ve got to comply with the GDPR for the existing data we store and we will be able to legally justify this new optional data for measuring diversity.

1 Like
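
The storage and reporting design discussed in the first and last posts, as an added sketch that is not part of the thread or the membership system's own code: answers sit in a separate store under a keyed hash of the member id, directors get counts and percentages only, and whoever holds the key can still rebuild the link. The names (`DiversityStore`, `pseudonym`, `relink`), the use of HMAC-SHA256 and the in-memory dict standing in for the separate server are all assumptions.

```python
import hashlib
import hmac
from collections import Counter


def pseudonym(member_id: int, key: bytes) -> str:
    """Keyed hash of the member id; cannot be recomputed without the key."""
    return hmac.new(key, str(member_id).encode(), hashlib.sha256).hexdigest()


class DiversityStore:
    """Stand-in for the separate store: rows carry a pseudonym, never a member id."""

    def __init__(self, key: bytes):
        self._key = key      # assumption: held outside the membership database
        self._rows = {}      # pseudonym -> answers

    def save(self, member_id: int, answers: dict) -> None:
        # Opt-in: a row exists only for members who chose to answer.
        self._rows[pseudonym(member_id, self._key)] = dict(answers)

    def view_own(self, member_id: int):
        # The application calls this only for the logged-in member's own id.
        return self._rows.get(pseudonym(member_id, self._key))

    def erase(self, member_id: int) -> None:
        self._rows.pop(pseudonym(member_id, self._key), None)

    def dump(self) -> dict:
        # What a database dump of this store alone would contain.
        return {p: dict(a) for p, a in self._rows.items()}

    def report(self, field: str) -> dict:
        # Director view: counts and percentages only, no per-member rows.
        counts = Counter(a[field] for a in self._rows.values() if field in a)
        total = sum(counts.values())
        return {v: (n, round(100 * n / total, 1)) for v, n in counts.items()}


def relink(dump: dict, member_ids, key: bytes) -> dict:
    """Whoever holds the key can rebuild the link, so the data is pseudonymised,
    not anonymous; with any other key nothing matches."""
    return {m: dump[p] for m in member_ids if (p := pseudonym(m, key)) in dump}


def build_sample(key: bytes = b"constructed-sample-key") -> DiversityStore:
    store = DiversityStore(key)
    # Constructed sample answers for member ids 1..4; member 5 did not opt in.
    for mid, gender in [(1, "female"), (2, "male"), (3, "male"), (4, "female")]:
        store.save(mid, {"gender": gender})
    store.save(3, {"gender": "male", "ethnicity": "sample-value"})
    return store
```

With very few respondents a count of one or two in a report can still point at a person, which this sketch does not address.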